A Method of Deriving Anomaly Detection Rule by HAZOP Analysis

Takahiro Hidaka (1), Fumio Yamazaki (1), Yukikazu Nakamoto (3), Shinya Honda (2) and Hiroaki Takada (2)

As the scale of automotive systems grows, verifying them by traditional methods becomes harder. In this study we propose deriving anomaly detection rules from the result of a HAZOP analysis, and we evaluate the method with an example and an implementation. We show that the method is valid for component-oriented software and that the rules are easy to adopt under the constraints of embedded systems.

1. [Introduction; only the keywords AUTOSAR, FMEA, FTA and HAZOP 1) survived extraction.]

(1) Center for Embedded Computing Systems, Nagoya University
(2) Graduate School of Information Science, Nagoya University
(3) Center for Embedded Computing Systems, Nagoya University / Graduate School of Applied Informatics, University of Hyogo

(c) 2009 Information Processing Society of Japan
[Figure 1 (HW configuration), Section 2 (2.1, 2.2 with items (1)-(7)), Section 3 (HAZOP) and Section 3.1, which cites IEC 61882 2) for the HAZOP procedure and refers to Tables 1 and 2, did not survive extraction beyond this outline.]
Table 2: HAZOP guide words 3), as also used with IEC 61508 4); the columns that describe the meaning of each guide word did not survive extraction.
  no
  less
  more
  other than
  part of
  reverse
  early
  late

3.2 [HAZOP of the example system; only fragments survived: a video stream of 30 frames per second (30 fps) and an ECU are analysed with the guide words no, less, more and late, and the result is given in Table 3.]
Table 3: HAZOP result (column headings and signal names lost; x stands for the signal value, and the number after each guide word reappears as the last column of Table 4)
  frame rate = 30 (fps)        no 4 | less 3 | more 3 | part of 3 | reverse 3 | other than 2
  -100 < x < 100               no 2 | less 3 | more 3
  x in {P, R, N, D, 2}         no 2 | reverse 3 | other than 3
  frame rate = 30 (fps)        no 4 | less 3 | more 1 | part of 3 | reverse 3
  delay < 30 (ms)              late 4

3.3 [Deriving detection rules from the HAZOP result of Table 3; Table 4 lists the rules.]

Table 4: derived detection rules (per guide word: condition, then one or two numeric columns whose headings were lost)
  frame rate = 30 (fps)    no: 1 (s), 4 | less: fps < 20, 3, 3 | more: fps > 30, 3, 3 | part of: CRC, 1, 3 | reverse: CRC, 1, 3 | other than: -
  -100 < x < 100           no: 60, 2 | less: x < -100, 3 | more: x > 100, 3
  x in {P, R, N, D, 2}     no: 60, 2 | reverse: =, 3 | other than: =, 1, 3
  frame rate = 30 (fps)    no: 1, 4 | less: fps < 20, 3, 3 | more: fps > 30, 3, 1 | part of: CRC, 1, 3 | reverse: CRC, 1, 3
  delay < 30 (ms)          late: > 30 ms, 4

[Discussion fragment: "less" is detected as fps < 20, and "part of" / "reverse" are detected through the CRC.]

4. [Implementation on a Unix OS; the opening of the section did not survive extraction.]
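The rules of Table 4 evaluated over constructed samples, as an added example that is not part of the paper and not the authors' DTrace implementation. The 1 s observation window, reading "no" as an empty window, and reading the last numeric column as a rank are assumptions; the "reverse" condition for the enumerated signal did not survive extraction and is omitted.

```python
"""Evaluate anomaly rules derived from HAZOP guide words (Table 4)."""

def fps(w):
    """Frames per second observed in a window dict (assumed 1 s windows)."""
    return w["frames"] / w["seconds"]

# Video stream, nominal 30 fps (Table 4, first block).
FRAME_RULES = [
    ("no",      lambda w: w["frames"] == 0,        4),  # no frame in the window
    ("less",    lambda w: 0 < fps(w) < 20,         3),  # fps < 20 (distinct from 'no')
    ("more",    lambda w: fps(w) > 30,             3),  # fps > 30
    ("part of", lambda w: w["crc_errors"] > 0,     3),  # truncated frame: CRC fails
    ("reverse", lambda w: w["crc_errors"] > 0,     3),  # scrambled frame: CRC fails
    ("late",    lambda w: w["max_delay_ms"] > 30,  4),  # arrival later than 30 ms
]

# Bounded numeric signal, -100 < x < 100 (Table 4, second block); None = no sample.
RANGE_RULES = [
    ("no",   lambda v: v is None,                   2),
    ("less", lambda v: v is not None and v < -100,  3),
    ("more", lambda v: v is not None and v > 100,   3),
]

# Enumerated signal with the value set {P, R, N, D, 2} (Table 4, third block).
GEAR_POSITIONS = {"P", "R", "N", "D", "2"}
ENUM_RULES = [
    ("no",         lambda v: v is None,                                 2),
    ("other than", lambda v: v is not None and v not in GEAR_POSITIONS, 3),
]

def check(rules, sample):
    """Return [(guide word, rank), ...] for every rule the sample violates."""
    return [(word, rank) for word, test, rank in rules if test(sample)]

def worst_rank(rules, sample):
    """Highest rank among the violated rules, or 0 when the sample is normal."""
    return max((rank for _, rank in check(rules, sample)), default=0)

if __name__ == "__main__":
    # Constructed 1 s windows, not measurements from the paper.
    normal = {"seconds": 1, "frames": 30, "crc_errors": 0, "max_delay_ms": 12}
    degraded = {"seconds": 1, "frames": 15, "crc_errors": 2, "max_delay_ms": 45}
    for name, w in (("normal", normal), ("degraded", degraded)):
        print(name, check(FRAME_RULES, w), "worst rank", worst_rank(FRAME_RULES, w))
    print("gear", check(ENUM_RULES, "X"), "range", check(RANGE_RULES, 250))
```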
[Section 4 fragments: the rules are implemented on top of libdtrace 6). The guide words no, less, more, other than, early and late are handled by one kind of D script, and part of and reverse by another (Figure 2). The D scripts use the syscall provider for read/write and the profile provider, and the HAZOP-derived rules are applied to TCP/IP communication.]

4.1 DTrace
[DTrace is a tracing framework developed by Sun Microsystems 5) and available on Solaris, FreeBSD and Mac OS X. Probes in the OS are programmed in the D language; count() is an aggregating function. Figure 1 shows interval.d.]

Figure 1: interval.d

    /* $target is the traced process; trace_count_rw is a flag supplied by the
     * host program through libdtrace (assumed; not shown on the page). */
    syscall::write:entry
    / pid == $target && trace_count_rw /
    {
        /* count write() calls per file descriptor (arg0) */
        @write_count[arg0] = count();
    }
    syscall::read:entry
    / pid == $target && trace_count_rw /
    {
        /* count read() calls per file descriptor (arg0) */
        @read_count[arg0] = count();
    }
    profile:::tick-1s
    / trace_count_rw /
    {
        /* once per second, report the counts and start a new interval */
        printa("MSG: count_rw write sock=%d, count=%@d\n", @write_count);
        printa("MSG: count_rw read sock=%d, count=%@d\n", @read_count);
        clear(@write_count);
        clear(@read_count);
    }

[Figure 2: value.d captures the data returned by the read syscall with DTrace's copyin().]
Figure 2: value.d

    self int read_sock;
    /* uintptr_t rather than int so the user buffer address is not truncated */
    self uintptr_t read_buf;

    syscall::read:entry
    / pid == $target /
    {
        /* remember the descriptor and user buffer until read() returns */
        self->read_sock = arg0;
        self->read_buf = arg1;
    }
    syscall::read:return
    / pid == $target && 0 < arg0 && trace_value /
    {
        /* arg0 is the byte count; copy the first byte of the user buffer */
        printf("MSG: value read sock=%d, buffer=%d\n",
               self->read_sock,
               *((char *) copyin(self->read_buf, 1)));
    }

[Figure 4: execution time (%) for user time and sys time, and memory usage (KB), for the configurations no, null, noval and all; only the axis values survived extraction.]

4.2 [libdtrace: the D scripts are run from a host program through libdtrace; the program terminates on SIGTERM. The rest of the subsection did not survive extraction.]

5. [Evaluation: the environment is an Intel Core2Duo with VMware Server; the configurations compared are no, null, noval and all (Figure 4, Figure 5, Table 5).]

[Figure 5: execution time ratio (user time, sys time) for no, null, noval and all; y-axis from 0.96 to 1.1.]

[Table 5: user/sys time (unit: %) and mem (unit: KB) per configuration; of the discussion only the overhead figures 8% and 6% for (user, sys) survived.]
[Figure 6: mapping of this work onto the MAPE-K loop: Monitor = DTrace, Analysis and Plan as derived from HAZOP, Execution = -, Knowledge = HAZOP. A memory figure of 3 MB is given for DTrace.]

6. [Related work: MAPE-K 7) is the Monitor, Analysis, Plan, Execution and Knowledge loop of IBM's autonomic computing 8) (Figure 6); here Knowledge and Analysis correspond to HAZOP, Monitor to DTrace, and the Plan step is left open. Anomaly detection is contrasted with intrusion detection systems 9); CPU-usage based anomaly detection 10) and network anomaly detection 11) are cited.]

7. [Conclusion: anomaly detection rules were derived from HAZOP and implemented with DTrace.]
[Future work fragments: HAZOP, CRC, the Plan step of MAPE-K, RTOS.]

References
1) [Japanese title lost] ISO 13849-1 (JIS B9705-1), IEC 60204-1 (JIS B9960-1), IEC 61508 (JIS C0508) (2007).
2) IEC 61882: Hazard and operability studies (HAZOP studies) - Application Guide (2001).
3) Redmill, F., Chudleigh, M. and Richard, J.C.: System Safety: HAZOP and Software HAZOP, Wiley-Blackwell (1999).
4) IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems (2005).
5) McDougall, R., Mauro, J. and Gregg, B.: Solaris Performance and Tools: DTrace and Mdb Techniques for Solaris 10 and OpenSolaris, Prentice Hall (2006).
6) Sun Microsystems, Inc.: libdtrace(3lib), http://docs.sun.com/app/docs/doc/816-5173/6mbb8adt2.
7) IBM: An Architectural Blueprint for Autonomic Computing, http://www.ibm.com/autonomic/pdfs/ac Blueprint White Paper 4th.pdf (2006).
8) [Japanese title lost] PROVISION 58, IBM (2008).
9) Meadows, C.: A Formal Framework and Evaluation Method for Network Denial of Service, Proceedings of the 1999 IEEE Computer Security Foundations Workshop, pp.4-13 (1999).
10) Sugaya, M., Ohno, Y., van der Zee, A. and Nakajima, T.: A Lightweight Anomaly Detection System for Information Appliances, Proceedings of the IEEE Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing, pp.257-266 (2009).
11) Waizumi, Y., Kudo, D., Kato, N. and Nemoto, Y.: A New Network Anomaly Detection Technique Based on Per-Flow and Per-Service Statistics, Computational Intelligence and Security, Springer Verlag, pp.252-259 (2005).